Health care exchanges continue to hit rough patches, as the United States government has revealed that the federal health care portal Healthcare.gov was breached. While there is no evidence that any personal information from the 5.4 million people applying through the site was stolen during the event, the attack marks the first time an intrusion has successfully accessed systems attached to the website.
The system that was breached is said to be a server that is only used to test code for the website, officials told the Wall Street Journal. However, the server was connected to parts of the Healthcare.gov site that do house sensitive data, according to an official at the Department of Health and Human Services (HHS). That area of the network has better security, so while a compromise of the data could have occurred, the intruder would have had a tough time accessing it. The agency found evidence of the breach on August 25 in a routine scan.
"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," said HHS. "We have taken measures to further strengthen security."
Currently, officials don't know how the hacker gained access to the system, but the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the National Security Agency were called in to investigate. It isn't believed that the attack was by a "state-backed actor" at this time, even with some of the IP addresses traced back to overseas locations.
DHS spokesman S.Y. Lee also confirmed that there was no evidence that data had been stolen during the breach. He added that the agency would continue to "monitor the situation and help develop and implement precautionary mitigation strategies as necessary."
It's believed that the hacker who gained access wasn't specifically attempting to target the portal, as "malicious software" was injected to be used in future attacks on other sites. Investigators traced the intrusion back to July and found nothing but the installation of the software to be used in denial-of-service (DoS) attacks. Information from the investigation pointed to both private and federal sites being scanned by the hacker.
What's troublesome is that the server that was accessed was never intended to be connected to the Internet. Because of this, it had "low security settings" and a default password required for access. Officials are concerned that the hacker was able to gain access via this basic security flaw.
These sorts of attacks are common on Internet-connected sites, something that the industry treats as an annoyance more than anything else. HHS says it takes cybersecurity seriously, telling the paper that it undergoes quarterly audits through an outside security firm. It also does daily scans and "drill-hacking exercises." DHS notes that had such a breach happened anywhere other than Healthcare.gov, "it wouldn't be news."
News of the breach comes at a troubling time for the insurance gateway, as the next open enrollment period is ramping up for November. Citizens who weren't able to obtain health insurance by the last deadline, or because of issues with state programs, will be flocking to the site to sign up in order to avoid penalties.